Bulk Extractor.

An open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem. Es gehört zur Kategorie Forensik und Incident Response der Cybersicherheit.

An open-source, parallelized forensic tool by Simson Garfinkel that streams through disk images, memory dumps, and arbitrary binary blobs to extract structured artifacts — emails, URLs, credit-card numbers, network packets — without first parsing a filesystem.

Bulk Extractor is a parallelized, filesystem-agnostic forensic carving and feature-extraction tool originally developed by Simson Garfinkel and maintained by the Naval Postgraduate School. Given any input — raw disk image, RAM dump, pcap, container image, or even a corrupt filesystem — it sweeps the bytes in parallel and writes 'feature files' containing extracted artifacts: email addresses, URLs, domains, IPv4/IPv6 addresses, credit-card numbers, EXIF metadata, JSON fragments, ELF/PE headers, ZIP entries, decompressed gzip streams, and more. Because it does not require a parseable filesystem, Bulk Extractor is the standard first-pass tool when investigating heavily damaged disks, unallocated space, swap, hiberfil, memory dumps, or unknown binary blobs. Output is straightforward text or histogram files that integrate easily with Autopsy, the Sleuth Kit, or custom analysis pipelines. The 2.0 series (2023) added improved Windows support, better Unicode handling, and cleaner JSON output.

Schutzmaßnahmen gegen Bulk Extractor kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.

Übliche alternative Bezeichnungen: bulk_extractor, Garfinkel bulk_extractor.